The document discusses changes to the requirements of PCI DSS 3.0 that will impact organizations. It highlights new requirements for annual penetration testing, documenting vulnerabilities from the past 12 months, and conducting a risk assessment based on an industry framework. These changes will significantly increase the resources needed for compliance.

1. Restricting
Authenticating
Tracking
User Access?
Time Is Not
On Our Side!
PCI DSS Req. 7, 8, 10
Authored by VIMRO’s Cybersecurity Leaders
12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191
Any reference to cybersecurity in the Payment Card Industry (PCI)
context strikes fear into the hearts of professionals across the globe. Its
nebulous requirements and their extensive drain on both IT and busi-
ness efforts can eat up resources faster than an F22 fighter jet gulping
down jet fuel. Worse yet are the constantly changing standards! The
latest incarnation of the Data Security Standard (PCI DSS 3.0) contains
new language that leaves a considerable gap in understanding the chang-
es to the requirements imposed on organizations.
VIMRO has examined the PCI DSS language closely. We have compiled
both general and specific items to address during a PCI DSS compliance
effort. One of the most significant changes in the 3.0 verbiage is the
requirement for a penetration test. (As VIMRO has discussed in prior
whitepapers, a security scan or vulnerability assessment is not the same
as a penetration test.)
The penetration test is prescribed by PCI DSS requirement 11.3. The
DSS requires the testing of both network and application layers, and this
includes both internal and external testing against each network and
application. The requirement also calls for re-testing after making any
material changes to a computer network or application environment; this
is to ensure that the architectural modification did not create any new
vulnerabilities. In addition to the initial testing and the occasional testing
dictated by software modifications, penetration testing is also required
on an annual basis—at minimum. The change cycle for a company’s PCI
DSS network and applications also requires a penetration test with each
modification.
The PCI DSS Reaper
Are you ready for what's coming?
How Are You
Restricting
Authenticating
Tracking
User Access?

2. COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS
And that’s not all!
The methodology used in the penetration test must be based on an
“industry-accepted standard.” At least four different methodologies
come to mind at the time of writing, and applying the wrong methodol-
ogy can cripple your compliance efforts. A given methodology can
reduce or dramatically inflate the scope of your compliance efforts.
Furthermore, you must maintain a documented review of any threats
and vulnerabilities your organization has experienced in the past 12
months. “Yes,” I hear you say, “That’s fine.” But consider that this docu-
mentation means a lot of work for you and your IT resources. It means
careful recognition, logging, and outcome analysis of the vulnerabilities
to which you have been exposed in the past 12 months. “Vulnerabilities”
includes Heartbleed, it includes Poodle, and it includes just about every
nasty named—and unnamed—threat that may have affected your IT
environment (and yes, for Windows, it includes your recent SChannel
vulnerability).
If that was not enough, PCI DSS 3.0 lists a new requirement for a risk
assessment. The risk assessment must cover all risks affecting your
carefully managed credit card data, and must be based on an “indus-
try-recognized framework.” “Ah, but we take care of that with vulnera-
bility scans and penetration testing,” you may reply. Unfortunately,
vulnerability scans and penetration tests exclude the people and process-
es who would be covered by the risk assessment; people like John, who
prints out those reports containing card data; and people like those rows
of call center operators, who key transactions and card data into pay-
ment processing systems.
The impact of PCI DSS 3.0 has many additional implications. Those
discussed above are only a handful of the key items. Contact VIMRO
now to learn how our solutions can help your business.
The PCI DSS Reaper
Are you ready for what's coming?
(800) 272 0019
Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL
Service Providers must
state in writing that
they are responsible
for the security of all
cardholder data they
manage!
PCI DSS Req. 12.9
Effective July 2015